Many More Android Apps Leaking User Data

eldavojohn writes "After developing and using TaintDroid, several universities found that of 30 popular free Android apps, half were sharing GPS data and phone numbers with advertisers and remote servers. A few months ago, one app was sending phone numbers to a remote server in China but today the situation looks a lot more pervasive. In their paper (PDF), the researchers blasted Google saying 'Android's coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data.' Google's response: 'Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"
  • by slaxative ( 1867220 ) on Thursday September 30, 2010 @12:34PM (#33749584)
    They finally get to the part I care about, which is the list of apps they tried. Look at page 9 of their paper in PDF format.
    • by Qzukk ( 229616 ) on Thursday September 30, 2010 @12:48PM (#33749842) Journal

      Too bad after listing all the apps and what permissions they requested, they never named which of them misbehaved, only total numbers.

      • Posted in the comments at ars:
        ===================

        SpinyNorman | Thu Sep 30, 2010 8:08 am | permalink
        I wish you chaps would link through to your sources.

        [edit] ah, here we go: http://appanalysis.org/pubs.html

        No details on which apps did what, only summary information. These were the apps:

        The Weather Channel (News & Weather);
        Cestos, Solitaire (Game);
        Movies (Entertainment);
        Babble (Social);
        Manga Browser (Comics)
        Bump, Wertago (Social);
        Antivirus (Communication);
        ABC — Animals, Traffic Jam, Hearts, Blackjack

        • That's a list of the apps they studied, not a list of the apps which they found to be leaking private information. What I, and I suspect others are looking for is a table with the following headers: App Name, Publisher, Permissions, Leaked Information, version number.

          • Re: (Score:3, Insightful)

            by MrHanky ( 141717 )

            The problem with the article is that they label apps as "suspicious" when they work as intended. Bump, for instance, is an information sharing app. It's designed to share your contact info (if you choose so) with other phones. I can't imagine it isn't one of the two apps that transmit the phone number, IMSI, etc., to the app's server, as that's how it's supposed to work.

            Of course, Bump is also available for the iPhone through Apple's app store.

    • And in other news, smartphone security sucks. News at 11.

      • Re: (Score:2, Insightful)

        by BasilBrush ( 643681 )

        All this article shows is that Android security sucks. The whole popping up a dialog to ask the user for technical permissions system is fatally flawed, because most users don't understand and will just hit yes to proceed.

        iPhones don't have the same degree of problem, because this kind of stuff will mean an app won't get into the App Store. Or if it manages to get through, it will be pulled rapidly once the security problem is discovered. That's one of the benefits of a single app store.

        • by MrHanky ( 141717 ) on Thursday September 30, 2010 @02:43PM (#33751584) Homepage Journal

          "One of the benefits of a single app store" -- like the single Android Market, you mean? You don't know how good Apple's security screening is, so you just choose to trust them for no reason whatsoever.

          • by MightyMartian ( 840721 ) on Thursday September 30, 2010 @02:46PM (#33751642) Journal

            Indeed. It just offloads the problem on to someone else. I have no more reason to trust the guys at the App Store are going to be able to find sophisticated security holes. It's just another form of a false sense of security, with the added bonus that those bizarre Apple worshipers get to fit more snugly into Jobs' uterus, believing themselves safe because their God and Protector wouldn't dare let anything nasty get through.

            • Re: (Score:3, Interesting)

              by davester666 ( 731373 )

              I own an iPhone, iPod Touch and iPad, and am also a developer.

              And I know that apps for them have remarkably free rein over what they can do, what data they have access to, and where they can send the data. And Apple really can't do much to police it, other than to pull the app [and I suppose possibly remotely delete/disable apps] if it is reported that an app is doing something wrong. Because they can really only do black-box testing, as they don't have access to your applications source code, what any a

              • Re: (Score:3, Interesting)

                by AmiMoJo ( 196126 )

                There was a story on /. a couple of years ago about an iPhone app that sent the user's phone number back to the developer, and then he called them trying to sell the paid version. It is hardly a problem just limited to Android.

          • Re: (Score:3, Insightful)

            by bonch ( 38532 )

            You don't know how good Apple's security screening is, so you just choose to trust them for no reason whatsoever.

            You're trusting them because if they fuck up, it's on their hands, and they potentially lose you as a customer.

        • by Dare nMc ( 468959 ) on Thursday September 30, 2010 @03:19PM (#33752134)

          dialog to ask the user for technical permissions system is fatally flawed

          understanding doesn't help me, not sure why it would help others. I think the flaw is it asks too late, and you can't block any of them to still use the App. I.e., I wanted an app to track car maintenance and MPG, I find the one that looks best, best reviewed... Now it comes up and says it wants phone, and internet access... Not needed for what I wanted, but what do I do now? Look for another, buy, install, and wait to see if it is worse?
          Would be nice if Google also disclosed that in the app market before choosing, then maybe developers would explain what they used the connections for...

  • But how? (Score:5, Insightful)

    by Drakkenmensch ( 1255800 ) on Thursday September 30, 2010 @12:37PM (#33749636)

    "We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"

    How exactly is one supposed to do this? What is the process for building trust vis-a-vis apps when the only protection you receive from your service provider is "don't walk into dark alleys you don't trust"?

    • Re: (Score:3, Funny)

      by Anonymous Coward

      For a start, don't install a flashlight app that requests access to network features.

    • Re: (Score:3, Informative)

      by Kenja ( 541830 )
      For example. If the fart sound generator you download needs access to your call log (which you are told when you install it) I wouldn't trust it.
    • Only install apps you trust. Like IE6 and Weatherbug.
    • Re: (Score:2, Interesting)

      Good question. I wanted to install a recipe application by a popular brand name company (although the idea of trust with said company might be a little shaky - their guacamole only contains 2% avocado or somesuch) but I didn't feel right because of the permissions required. This app is available for the iPhone, so I don't know if it comes with the same restrictions. I emailed them asking them why the app needs to know my phone's identity and contact data as well as location. They responded thinking that I h

  • by Nadaka ( 224565 ) on Thursday September 30, 2010 @12:38PM (#33749658)

    Not only the ability to display what permissions an app requests, but the ability to deny the use of those features on a per feature basis for each app.

    For instance, an app may request internet access (cellular radio or wifi), the user should be able to choose to limit that to just wifi or even turn off connectivity for that app altogether.

    • by netsharc ( 195805 ) on Thursday September 30, 2010 @12:49PM (#33749856)

      which, incidentally, is what BlackBerry has. You can allow/deny each app permission to access your address book, calendar, internet connection, send SMS, open your mailbox, etc. I don't think even iOS has that yet (or well, I think it does, but for GPS location only). An app must be prepared to get an "access denied" exception, and survive through it.

      And for corporate users, an admin can even set your phone to not allow installation of custom programs, deny all requests to read the user's calendar/address book (except for a white-list of apps), etc, etc.

      As an Android user I wish Android would copy this feature, and as a fan of superior technology, I wish BlackBerry could promote these security features more.

      • What's interesting is that if an Android app doesn't have permission an exception is raised, but you're taught to make sure to add the permission flag instead of catching the exception. (Which makes sense, because as it stands right now, if you don't set the flag you'll -never- get the permission). But if they had told you to catch the exceptions, applications would be ready for user-flippable permissions.

        • Re: (Score:2, Interesting)

          by Chees0rz ( 1194661 )

          What's interesting is that if an Android app doesn't have permission an exception is raised, but you're taught to make sure to add the permission flag instead of catching the exception. (Which makes sense, because as it stands right now, if you don't set the flag you'll -never- get the permission). But if they had told you to catch the exceptions, applications would be ready for user-flippable permissions.

          Exactly. Take Camera.open for instance. According to the javadocs...

          Throws
          RuntimeException if connection to the camera service fails (for example, if the camera is in use by another process).

          What about a permission exception?!?!

          No - instead they say - "If you want to use the camera, include this catch all crap!"
          <uses-permission android:name="android.permission.CAMERA" />
          <uses-feature android:name="android.hardware.camera" />
          <uses-feature android:name="android.hardwa

      • by ADRA ( 37398 )

        As a user, I think it'd be great to have the ability to nuke privileges to certain functions that I don't think that the app should have. Inversely, I think as a developer this would be incredibly frustrating. Taking away the ability to perform functions that very well could be a core function of the app would cause no end of frustration to debug and fix. Plus, bad reviews and crashes relating to stupid permissions filtering just increases the support headache of releasing apps.

        I think a happy solution wou

        • by xaxa ( 988988 )

          My five year old Motorola phone had this feature. When a permission was needed it would say allow once, always, or deny. ...posted from Android.

    • How much does the fact that the system/OS was created by Google, which is in the business of trying to mine as much personal data as it can? Is this misplaced trust just because they have a (now jaded) motto of 'do no evil'? People complain about privacy on Facebook while I am concerned more about Google. (Concerned because I can't really worry about something that is very difficult to do anything about by myself.)
    • by OzPeter ( 195038 )

      Not only the ability to display what permissions an app requests, but the ability to deny the use of those features on a per feature basis for each app.

      So the phone needs a decent firewall now?

      • They've needed them for some time, it's just that for some reason they aren't really available yet.
      • by tibman ( 623933 )

        I don't own an Android phone yet, but it's Linux based.. correct? Linux has a built in firewall via iptables. Why can't they just use that?

  • Prevasive? (Score:2, Troll)

    by jambarama ( 784670 )
    Doesn't someone spellcheck these summaries?
    • Re: (Score:3, Informative)

      It's a perfectly cromulent word comprising of:
      Pre, from the Latin prae meaning before, in front
      evasive, meaning tending or seeking to evade

      This submission was accepted prevasively to editing it.
    • by blueZ3 ( 744446 )

      Don't try to understand the editors. That is impossible. Instead, only try to realize the truth: there are no editors.

  • by sotweed ( 118223 ) on Thursday September 30, 2010 @12:38PM (#33749666)

    It is hard enough to know if I should trust my child, and I raised him. He doesn't tell me much. App developers tell me less, and some of them are devious. This is not a good security model. And Google knows better.

  • by inviolet ( 797804 ) <slashdotNO@SPAMideasmatter.org> on Thursday September 30, 2010 @12:39PM (#33749678) Journal

    "Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust." -- Google

    What a bunch of fluff. The relevant developers don't care about "best practices" or any other voluntary standard. And how the f*** are users supposed to establish trust in certain apps? The platform does not significantly monitor an application's ongoing behavior, nor is anyone performing serious code-reviews or blackbox testing. Google COULD HAVE set up profiling tests similar to those run in TFA, but didn't.

    For ONCE would a company please admit that they reduced privacy in order to provide the dumbed-down usability needed to capture market share and attract developers?

    • Re: (Score:3, Interesting)

      I don't see the big deal with this. Android gives you infinitely more information about what an app is going to do than anything on the PC.

      On my phone, I'll at least know if the app is going to look at my location, contacts, etc. and can make the choice to install it or not.

      On my PC, all I know is that I'm downloading some binary data that could do anything it wanted.

      It's not that hard. If you download a game that wants access to your contact data and full internet access, don't install it. Yes, even if

  • A checklist (Score:5, Interesting)

    by Caerdwyn ( 829058 ) on Thursday September 30, 2010 @12:48PM (#33749844) Journal

    Rather than a blanket "you can send anything you want anywhere you want/you can send nothing to anywhere" switch, a finer-grained constrained set of permissions may be the way to go. Specifically:

    • Commonly-requested data such as location and phone number are sent through specific APIs that ONLY send the requested info, and cannot send any other data. This data is sent not directly to whatever server, but to servers at the network provider, and the app provider picks them up from the network provider. This prevents arbitrary data from being sent when the claim is that it is only a specific piece of data, allows "bad" apps (defined by deception, prohibited use or incomplete disclosure) to be cut off at the network provider when discovered, and allows vetting of outgoing data to ensure it meets the claimed destination.
    • Transaction logs must be kept and be accessible to allow a user to see what's going out. Yes, most end users won't be able to make sense of the logs. But these logs could be uploaded to a security software provider for analysis, and the results presented in an understandable manner. "DroidGameApp: Microphone activated and streamed, GPS info, phone number sent to www.dhs.gov"
    • Information collection by ads should be governed by a different set of permissions than the app presenting the ads. Ad-supported apps are fine, but the user should know what ads are doing on the network independent of the app.

    And if an app provider doesn't like the light shone on their activities... that's a pretty good indicator right there.

    • by ADRA ( 37398 )

      "Information collection by ads should be governed by a different set of permissions than the app presenting the ads. Ad-supported apps are fine, but the user should know what ads are doing on the network independent of the app."

      I think that is the strategy of 'Google ads' being served through apps, but I'm not sure if they've actually done that yet. AdMob (which is now Google as well) definitely needs internet and possibly coarse location if the dev wants to allow for geo sensitive ads. It would be nice to

      • by blueZ3 ( 744446 )

        I have a sneaking suspicion of collusion between wireless carriers and phone providers, that goes something like:

        1. Have developers offer "free" ad-supported apps which helps sell phones
        2. Cap bandwidth by which ads are served
        3. ????
        4. Profit!

  • by DdJ ( 10790 ) on Thursday September 30, 2010 @12:58PM (#33750040) Homepage Journal
    • ...after all, many more users are leaking Android app data.

      They should see their primary care physician.

  • Android gives users and developers a lot more freedom than other alternatives - with that comes responsibility for both parties. If you want a platform where you are told what to do, when to do it, and whom you can do it to, get an iPhone.
  • When you incorporate advertising "services" and usage statistic tools into your apps, this is what happens. You get the convenience of "free" tools which make your life easier; either by automatically handling ad imprints (and earning you some money); or by providing you with app usage statistics -- or both.

    On the surface you don't pay anything for these tools. They integrate nicely into your app, and you only have to add a few lines of code -- the essence of what a good developer's tool should provide.

  • "...half were sharing GPS data and phone numbers with advertisers and remote servers."

    Two words: DOUCHE.BAGS.

  • by Terazilla ( 1545215 ) on Thursday September 30, 2010 @01:24PM (#33750460)
    I don't get it, why is this being positioned as an Android problem? Last I checked, iPhone apps aren't even required to tell you what data they use in the first place -- is there an iPhone equivalent to the "uses internet access", "uses coarse location services" page that the Android Market displays to you? There's a ton of iPhone, Blackberry, Palm, etc apps using advertising support, which is what the vast majority of this article is finger-pointing.

    Nobody, at any marketplace service, is going to have time to do a code review of everything that gets submitted. Even console games -- which have a months-long and intensely painful approval process the likes of which you've never seen -- don't do code review. The very concept is ridiculous, there's way too much code and way too many people involved. You're going to have to trust your developers folks, and make use of the user-ratings tools if you don't.

    Android's model of showing you what special access the software uses is about as good as I think you can get in the real world without learning to use a packet sniffer. RIM's ability to disable individual types of access is cool as well, but if the software needs it to function (or says it does) I'm not sure how the user is supposed to be in a position to use it intelligently. To avoid these sort of data harvesting problems, they'd have to somehow psychically know that the contact manager they're trying out uses that internet access for more than the occasional ad serve, and how would they know that?
    • by jjohnson ( 62583 )

      When an iDevice app tries to read your location, it requires your permission to access that data. That's enforced by iOS, it's not an honor thing. The first time it tries to do so, iOS pops an alert saying "this app wants to access your location. Allow/Deny".

    • Re: (Score:3, Insightful)

      ...is there an iPhone equivalent to the "uses internet access", "uses coarse location services" page that the Android Market displays to you?

      Yes. Both systems use similar schemes for jailing apps, with user permissions for access to various services.

      There's a ton of iPhone, Blackberry, Palm, etc apps using advertising support, which is what the vast majority of this article is finger-pointing.

      True, but most are transitioning to iAd, which divorces the advertiser and location services from one another such that it is not so much of a privacy concern... at least if you trust Apple to do what they say (as opposed to every app developer).

      Nobody, at any marketplace service, is going to have time to do a code review of everything that gets submitted.

      Well, they could if they put the resources into it. It might even be important enough to end users if malware becomes a real issue on mobile platforms. That s

  • Add Access Control Lists to the functions/API which grants access to personal data (such as email address, phone numbers/lists, browsing history, GPS location). Since it is an open platform, we can do this ourselves if we want. All applications which attempt to access such data will be verified against the ACL to see if it can receive such information. If the application is not on the ACL, then, the API returns either an error code (which requires the current applications to be recompiled...), or an empty r
  • by d_engberg ( 226359 ) on Thursday September 30, 2010 @01:29PM (#33750552)

    The headline doesn't really match the contents of the paper as far as I can tell.
    For example, "Evernote" is listed in the paper for:
    1) Taking pictures with the camera
    2) Recording audio with the microphone
    3) Determining your location
    And for transmitting this data to its servers.

    These functions are, however, exactly what the application is designed for. You take notes (including snapshot notes and voice notes) and upload them to your account. When you launch the app, there are big buttons for "take a snapshot note", "take an audio note", etc. Geo-tagging via the location APIs can be disabled from the Settings page, but this is another core advertised feature of the product.

    So this is a bit like making it into Slashdot by discovering that a mail client transmits text that you type (and your email address!) to a mysterious "SMTP" server.
    Headline: "Researchers discover nefarious 'e-mail' application leaking your data ... on the INTERNET!"

  • Personally, I think this is going to be a larger issue as time goes on. Right now, it's more of an annoyance with advertisers and marketing companies, but who's to say that in the near future some other companies don't start providing apps that track users for other reasons.

    Could you imagine a company that provides location data for your ex-spouse, or perhaps girlfriend or boyfriend, or even your children? I know this is kind of tin-foil hat paranoia, but I think the recent problems with things like the Go

  • The apps aren't leaking information. Leaking implies the information is being sent accidentally.

    The apps are taking the information and sending it to whomever intentionally.

  • by Anonymous Coward

    sorry to piss on the fanbois' flames spouting "iPhone's walled garden is much safer" and other such uninformed crap
    the iPhone App Store's dirty secret is it's worse, much worse

    http://www.slashgear.com/iphone-spyware-debated-as-app-library-phones-home-1752491/

    http://gadgets.boingboing.net/2009/04/13/pinch-media-statisti.html

  • The last time this issue came up, I started sending emails to the developers of my apps challenging their need for permissions that don't seem to make sense. I got several replies that stated that the legitimate permission the developer needs is buried under overly broad packages.

    For example, a battery monitor app needs to request access to "Phone Calls" to read the battery state.

    With such granularity developers can't be responsibly specific and end users have no rational way to accept/reject apps based on

  • There's a Mac program called Little Snitch which tells you which apps are sending out data, and what kind, and where it's headed. Any idea if there's a similar program for Android? I don't so much mind that some apps can do things they don't need to. But if users can identify which ones it would help a lot.
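
The install-time check several commenters describe above (distrust an app whose requested permissions do not fit its purpose, especially when it can also reach the network) can be automated against a decoded manifest. This is an added example, not code from the discussion or from the TaintDroid paper; the two manifests, the package names and the per-app "expected" sets are constructed assumptions, and it assumes AndroidManifest.xml has already been decoded to text (APKs ship it in a binary form).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
INTERNET = "android.permission.INTERNET"

# Permissions guarding the kinds of data the thread talks about.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone number, IMSI, device ID",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network-based location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    # ElementTree expands internal entities, so refuse DTDs in untrusted input.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("manifest contains a DTD; refusing to parse")
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR).strip()
            for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def audit(manifest_xml, expected):
    """Compare requested permissions with what the reviewer expects.

    expected: permissions the reviewer considers justified by the app's
    advertised purpose (a judgement call, supplied by the caller).
    """
    perms = requested_permissions(manifest_xml)
    sensitive = sorted(p for p in perms if p in SENSITIVE)
    can_send = INTERNET in perms
    return {
        # Requested, but not explained by the app's stated purpose.
        "unexpected": sorted(perms - set(expected)),
        # Sensitive data the app could read AND transmit off the device.
        "exfil_capable": sensitive if can_send else [],
        # Sensitive data readable, but no network permission to send it.
        "sensitive_offline": [] if can_send else sensitive,
    }


# Constructed sample: a flashlight app (camera permission drives the LED).
FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA"}

# Constructed sample: a note-taking app that syncs photo, audio and geo notes.
NOTES = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
NOTES_EXPECTED = requested_permissions(NOTES)

if __name__ == "__main__":
    for label, xml, expected in (("flashlight", FLASHLIGHT, FLASHLIGHT_EXPECTED),
                                 ("notes", NOTES, NOTES_EXPECTED)):
        print(label, audit(xml, expected))
```

The note-taking sample comes back with nothing unexpected yet is still able to read and transmit location, camera and microphone data: a permission list shows what an app could send, not what it does send, which is the gap runtime tracking of the TaintDroid kind is meant to close.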
